User changed file permission on his domain system, need to reset back to original settings.

I have a domain user who I can only guess changed the security permission on his system. The user has administrative rights to his own system and I have access to the Administrator account only when logged into the local system.
The user is receiving multiple errors each stating something related to security permissions that is preventing the user from running certain applications, deleting files, removing applications through the control panel and so on.
What is the best way to get things back to normal? I have a backup of the user's profile including Desktop, My Documents and so on. To this point I have used the Administrator's account on the local system (not the domain login) to take ownership of the entire C: partition. Should the next step be to delete the user's profile and then recreate it?
Not sure what is the best way to correct this issue. One additional note: the HP Smart Web Printing application runs with each login and states a permission error. I have been unable to uninstall this application using the local admin account logged into the local system, even though I took ownership of the entire C: partition which the application is installed under.
Thanking any and all for your technical support on these issues.

I'm not sure I understand completely what your problem is, but if I am then follow this information. Go to your RUN menu and bring up your group policy editor (gpedit.msc) and select the following: Select Admin Templates, System, User Profiles, then select "Add the Administrators security group to roaming user profiles". Read the information on this because I think it will allow you to retrieve and retain the access you need as the admin.

The users do not have local login only Domain logins but they do have to
have admin rights to their systems under their domain login. This is a
requirement because of some of the custom software that they use.

I have tried to restore the permission logged in as the user and as the
local admin and as the admin under the domain login but to this point
all have failed. Not sure if I am doing something wrong or missing a
step.

If you have any ideas or step by step instructions it would be
appreciated. It feels like trying to spell check your own writing and I
keep missing something.

Users need Create permissions to create new folders. If you manage the
permissions correctly to the shares/folders then you can prevent this.
Modify permissions are needed to move files around, and to save changes
to existing folders.

Hello.
The quick and dirty way to resolve the issue is to:
1. Log in to the machine as the Domain Admin (NOT local admin)
2. Use the Admin tools applet to delete the user from the local machine
3. On your domain controller, lock out the user account (red x). Make a new
account, Domain Users only
The reason is that the local machine admin in Windows can gain certain
rights in your domain.
Remember the inherited objects. Could be trouble if the user was compromised.
By using the Domain Admin logon, YOU control (or override) all local admin
objects. This is important.
You can, if you want, recreate the user profile (using local admin).
Hope this helps.
Louis

The Domain Administrators are added to the system and still there is an
issue. Users have admin rights to their own system and I am not sure
what this user did, but it appears that he tried to share a folder and,
because others could not see it, he used the security tab and changed
permissions. At present the only established account that has full
permissions to the entire C: partition is the Administrator of the local
system. The Administrators group "under the domain" does not have file
permissions, as they are unable to even access the Windows directory.

Any suggestions as to how to get permissions back to the user? At
present many applications will not run, as each time there is a security
message indicating that there is a permission issue. All the
applications were installed using the user's account because, as I stated,
each user has admin rights to their own system.

I don't have a solution for you, but this is exactly why I do not allow any
local logons except in unusual circumstances and *never* allow anyone
(except an administrator) admin rights to a local computer. It's, as you
have found out, a recipe for disaster. All our users do a domain logon. The
only local account on virtually all computers is for the administrator.

Is there a reason you can't get the user in question to restore the correct
permissions? Or log on as the local administrator and do it?

The security rights on the root folder (C:\) are inherited by many folders in the tree.
So, if you have a machine whose security wasn't altered by a user, you could check the security on C:\ and then fix the rights on the altered system. You could also set these rights in Group Policy (Computer Configuration -> Windows Settings -> Security Settings -> File System). Add the %Systemdrive% variable and set the rights to what they are supposed to be.
Richard A. Cromi
System Analyst
Stark County District Library
715 Market Ave. N.
Canton, OH. 44702
Phone: 330-458-3142
Email: email@removed
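Richard's suggestion of comparing the root and top-level DACLs of an unaltered machine against the affected one, as an added PowerShell example that is not part of the thread: run it with -Mode Export on the known-good machine, copy the CSV across, and run -Mode Compare from an elevated prompt on the affected machine. The baseline file path is an assumption; nothing is changed on disk, the fix commands are only noted in comments.

```powershell
# Added example (not from the thread): export the owner and DACL (as SDDL) of the
# system drive root and its top-level folders, then diff them on the affected machine.
param(
    [ValidateSet('Export', 'Compare')]
    [string] $Mode = 'Export',
    [string] $Baseline = 'C:\Temp\acl-baseline.csv',   # assumption: where the reference DACLs are kept
    [string] $Root = "$env:SystemDrive\"
)

function Get-TopLevelAcl([string] $RootPath) {
    # The root DACL is what most of the tree inherits, so the root plus its
    # immediate child folders is usually enough to spot what was changed by hand.
    $paths = @($RootPath)
    $paths += Get-ChildItem -Path $RootPath -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } | ForEach-Object { $_.FullName }
    foreach ($p in $paths) {
        # Access-denied folders are skipped here and reported as missing in Compare mode.
        $acl = Get-Acl -Path $p -ErrorAction SilentlyContinue
        if ($acl) {
            New-Object PSObject -Property @{ Path = $p; Owner = $acl.Owner; Sddl = $acl.Sddl }
        }
    }
}

if ($Mode -eq 'Export') {
    Get-TopLevelAcl $Root | Select-Object Path, Owner, Sddl |
        Export-Csv -Path $Baseline -NoTypeInformation
    Write-Host "Reference DACLs written to $Baseline"
}
else {
    $ref = Import-Csv -Path $Baseline
    $cur = Get-TopLevelAcl $Root
    foreach ($r in $ref) {
        $c = $cur | Where-Object { $_.Path -eq $r.Path }
        if (-not $c) { Write-Warning "$($r.Path): missing or not readable on this machine"; continue }
        if ($c.Owner -ne $r.Owner) {
            # An owner of the local Administrator instead of TrustedInstaller/SYSTEM is the
            # trace left by a blanket "take ownership" on the whole drive.
            Write-Warning "$($r.Path): owner is $($c.Owner), reference has $($r.Owner)"
        }
        if ($c.Sddl -ne $r.Sddl) {
            Write-Warning "$($r.Path): DACL differs from reference"
            Write-Host "  reference: $($r.Sddl)"
            Write-Host "  current:   $($c.Sddl)"
            # Once a difference is confirmed, re-apply the reference DACL to that folder
            # (Set-Acl) and push inheritance back down its subtree with
            #   icacls <folder> /reset /T /C
        }
    }
}
```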

Open local policy, security. See if any values have been changed. If you are
unsure, then set them all back to default. As a member of a Domain, these
should be overridden anyway if there is a conflict. However, if the value
is not addressed at the Domain level (OU or Site level), there may be local
changes which are active when logged on at the server.

Local folder permissions are not the same as Network permissions. As you
know, shares which Everyone/Domain users have access to over the network,
can be inaccessible, when you are logged in at the local level.

Check system log, security log, audit log for errors when you attempt to
access the files/folder at local and network level then compare the
differences.

Run GPresult on the system in question - then run GPresult on another system
which is not showing these symptoms.

Bottom line: this may be a case where even if you find and fix the issue,
you might want to decide if it is an effective use of your time. What is the
Network/LAN directive when it comes to these kinds of user self-inflicted
problems? Is it possible to just "declare victory" and move on to the next
crisis? Or are you committed to slog through this quagmire, regardless of
the resources required?

Hello,
This depends on how you want to do this.
As you know, servers, by default, are meant to share. All users, by
default, can create folders and, if they are the creator, can assign rights
to that folder. Here is where it gets fun.
If the user is a domain user, then he or she cannot lock everybody out of a
folder.
If the user is an administrator, you can take ownership of the folder.
Admins can set special permissions, lock out or make the share read-only.
So, just take ownership and set the permissions however you like.
Hope this helps.
Louis